Control Status
Track the implementation status of compliance controls across all frameworks.
The Control Status card gives you visibility into how your compliance controls are performing. Controls are the specific requirements from compliance frameworks—and tracking their status is essential for demonstrating compliance.
What Are Controls?
Controls are the individual requirements defined by compliance frameworks. Examples:
| Framework | Control Example | Requirement |
|---|---|---|
| SOC 2 | CC6.1 | Implement logical access security |
| ISO 27001 | A.9.4.1 | Information access restriction |
| HIPAA | 164.312(a)(1) | Access control implementation |
| GDPR | Article 5(1)(f) | Security of processing |
Each framework has dozens to hundreds of controls. The Control Status card tracks them all.
Control Status Categories
Controls can be in one of these states:
| Status | Icon | Meaning |
|---|---|---|
| Implemented | ✅ | Control is fully in place with evidence |
| Partially Implemented | ⚠️ | Some aspects implemented, gaps remain |
| Not Implemented | ❌ | Control not yet addressed |
| Not Applicable | ➖ | Control doesn't apply to your organization |
| Under Review | 🔄 | Being evaluated or remediated |
Understanding the Control Status Card
The dashboard card shows:
- Total controls - Count across all enabled frameworks
- Implementation percentage - What portion is implemented
- Status breakdown - Visual bar showing status distribution
- Framework selector - Filter to see specific framework status
A control marked "Implemented" in one framework may count toward multiple frameworks if the same control maps across standards.
Viewing Control Details
Click the Control Status Card
Opens the full control list view with filtering options.
Filter by Framework
Select a specific framework to see only its controls, or view all.
Filter by Status
Focus on "Not Implemented" controls to prioritize work.
Click a Control
Opens the control detail view with:
- Full control text and requirements
- Linked evidence documents
- Associated gaps
- Implementation notes
How Controls Get Their Status
Controls are updated through several mechanisms:
1. AI Document Analysis
When you upload a policy or procedure document, AI analyzes it against controls:
- Finds controls the document addresses
- Updates status based on coverage quality
- Creates gaps where coverage is incomplete
2. Manual Updates
You can manually update control status:
- Navigate to the control
- Click "Update Status"
- Select the new status
- Add notes explaining the status
3. Gap Resolution
When you resolve a compliance gap:
- The associated control's status improves
- Evidence links are updated
- Implementation notes are added
4. Workflow Completion
Completing a remediation workflow can:
- Mark controls as implemented
- Add workflow outputs as evidence
- Update multiple controls at once
Control Families
Controls are organized into families or categories:
SOC 2 Trust Service Criteria
- CC1: Control Environment
- CC2: Communication and Information
- CC3: Risk Assessment
- CC5: Control Activities
- CC6: Logical and Physical Access Controls
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
ISO 27001 Annex A
- A.5: Information Security Policies
- A.6: Organization of Information Security
- A.7: Human Resource Security
- A.8: Asset Management
- A.9: Access Control
- A.10: Cryptography
- A.11: Physical and Environmental Security
- A.12: Operations Security
- A.13: Communications Security
- A.14: System Acquisition, Development
- A.15: Supplier Relationships
- A.16: Incident Management
- A.17: Business Continuity
- A.18: Compliance
Prioritizing Control Implementation
By Severity Impact
Focus on controls that:
- Address critical security gaps
- Are frequently audited
- Protect sensitive data
By Audit Timeline
If an audit is approaching:
- Focus on the framework being audited
- Prioritize "Not Implemented" controls
- Gather evidence for "Partially Implemented" controls
By Efficiency
Some controls map to multiple frameworks:
- Implementing access control covers SOC 2 CC6 and ISO 27001 A.9
- This "double dipping" maximizes efficiency
Don't mark controls as "Implemented" without proper evidence. Auditors will verify, and false claims can result in audit failures.
Control Evidence
Each control should have supporting evidence:
| Evidence Type | Examples |
|---|---|
| Policies | Written security policy documents |
| Procedures | Step-by-step operational guides |
| Screenshots | Configuration or system settings |
| Logs | Access logs, audit trails |
| Reports | Vulnerability scans, assessments |
| Attestations | Signed statements from personnel |
Linking Evidence
- Navigate to a control
- Click "Add Evidence"
- Select from uploaded documents or upload a new one
- Add notes explaining how the evidence supports the control
Control Status Reports
Generate reports for:
- Executive summary - High-level status across frameworks
- Detailed control list - Full listing with status and evidence
- Gap analysis - Controls lacking implementation or evidence
- Audit preparation - Specific framework readiness report
Access reports via Settings > Reports or the Control Status detail view.
Common Questions
What happens when I enable a new framework?
All controls from that framework are added with "Not Implemented" status. PartnerAlly then analyzes your existing documents to update statuses automatically.
Can I mark a control as "Not Applicable"?
Yes. If a control doesn't apply to your organization:
- Navigate to the control
- Change status to "Not Applicable"
- Document the reason (required for audits)
How do controls relate to gaps?
- A control is a requirement
- A gap is a deficiency in meeting that requirement
- Resolving gaps improves control status
- One control can have multiple gaps
Next Steps
- Compliance Gaps - View gaps by control
- Documents - Upload evidence
- Workflows - Create remediation workflows